Hmmm. I can find lots of stuff about how to use it, but little on how it works.

I imagine the initial handshake must be over Bluetooth LE owing to the fact they’re not yet on the same WiFi network and that the devices need to be in reasonably close proximity.

It probably goes something like:

“Hey, I’m trying to join SOMENET but don’t know the password”
“I know it. Who are you?”
“I’m foo@icloud.com”
“OK, I know you - you’re in my contacts list. Let me ask my user if they want to let you know the password...... Yep. Here you go!”

Of course, there’s no doubt a ton of key-exchange going on. All iCloud leans on PKI quite heavily, so the real conversation isn’t really so naive.

I need to make sure that effectively no one succeeded with this without my authorisation. When I read about a similar Microsoft thing, I used their disable mechanism of suffixing __optout on the end of the SSID. But in this case, I have MAC filtering as a next-level block too, to aid in frustrating such things. (And I do know that MAC addresses can be altered or spoofed.) Unless someone is on the MAC whitelist they can only join the guest SSID, and having a WLAN password is not enough for the main SSIDs.

So, if someone comes to your house, opens the WiFi settings on their iOS device and tries to join your network, you’ll be asked if you want to share your WiFi password with them *only if* you have their iCloud email address in *your* contacts. You also must have your devices in close proximity.

Edit: after further reading, it seems that not only must you have their iCloud email in your contacts, they must also have yours. Plus this only exchanges the PSK, not any additional credentials your wlan may require.

Hmm, there are many people in my contacts, but very few are ‘friends’ with whom I would share passwords. My own abode has two wifi networks, one which allows public internet access, and one which also allows access to my private wired lan network. That includes, for example, printer access, so it is a valued privilege.

When acquaintances visit, I freely disclose the password for the public internet. If they ask “what is this other SSID”, I simply explain that it must belong to one of the neighbours. Unless of course they are genuine trusted friends, with a genuine need for access, such as wanting to print a boarding pass. In that case, I slip them a printed copy of the passphrase, which I keep hidden under a vase on the mantelpiece.

Your system’s absolutely fine - I would do something similar if I had the inclination!

This would purely replace either the slip of paper for your private WLAN or the need to recite and type the guest network PSK.

If a visitor happens to be someone for whom you both have each other as contacts, and they want to join your guest WLAN, you’re free to ignore the iOS share request and they can type the password manually.

My PSK is 28 characters long. It’s quite easily memorable and easy to recite, but a pain to type. So when I first discovered this feature when my brother-in-law visited, I was quite happy.

My main LAN password is a vile long pig, very strong, but my wife and I memorised it.

Trusted friends get access to the internet only by logging in to my guest SSID, and as mentioned earlier, they would not be successful even if my wife ill-advisedly gave them the good password, because of MAC address filtering. The guest SSID password is easy to type, short yet strong, and is nonsense.

> simply explain that it must belong to one of the neighbours

I have thought of using that one. Luckily it has never so far arisen. Good idea. Since all my SSIDs are not in English, pining visitors cannot understand them, so they do not ask for access that will not be granted.

Occasionally I find myself reluctantly disclosing the private password as a one-off favour, but it seems a bit cheeky to insist that the “guest” deletes it afterwards, probably with me leaning over their shoulder to make sure they do it properly. MAC filtering might be a less intrusive alternative.

When, if ever, I have the time, I might well take a look to see what my router has to offer with regard to MAC filters.

I have an L2 firewall feature in my WAPs, as well as the usual kind of MAC address filtering. It’s called ‘isolation’ by ZyXEL and is per-SSID. It allows you to create named objects which can be reused, and each is either a whitelist or blacklist of MAC addresses. With these isolation lists, which are ACLs of a kind, you can specify which devices the members of a group can or cannot talk to. Also, in a separate per-SSID feature, you can prevent devices from talking to one another within a particular group. It was an important feature added by ZyXEL in an update, buried away in the release notes, and was very welcome.
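As an added illustration (not code from any poster or from ZyXEL), the following model captures the two layers described in this thread: a per-SSID MAC whitelist that makes a leaked PSK insufficient to join the main network, and per-SSID isolation lists (named, reusable, each a whitelist or blacklist) plus a client-isolation flag that decide which peers a client may reach. All SSID names, list names and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


def norm(mac: str) -> str:
    """Normalise a MAC to lowercase colon form so list lookups are robust."""
    return mac.strip().lower().replace("-", ":")


@dataclass(frozen=True)
class MacList:
    """A named, reusable list: 'whitelist' permits only members, 'blacklist' everyone else."""
    name: str
    mode: str
    macs: FrozenSet[str]

    def permits(self, mac: str) -> bool:
        inside = norm(mac) in self.macs
        return inside if self.mode == "whitelist" else not inside


@dataclass(frozen=True)
class Ssid:
    name: str
    join_list: Optional[MacList] = None   # who may associate at all
    peer_list: Optional[MacList] = None   # which peers an associated client may reach
    client_isolation: bool = False        # block client-to-client traffic on this SSID


def may_join(ssid: Ssid, mac: str, has_psk: bool) -> bool:
    """Association needs the PSK and, where a join list is set, list membership."""
    if not has_psk:
        return False
    return ssid.join_list is None or ssid.join_list.permits(mac)


def may_reach(ssid: Ssid, dst: str, dst_on_same_ssid: bool) -> bool:
    """L2 isolation: client-isolation first, then the SSID's peer list."""
    if dst_on_same_ssid and ssid.client_isolation:
        return False
    return ssid.peer_list is None or ssid.peer_list.permits(dst)


# Constructed sample policy: main SSID gated by a device whitelist; guest SSID
# may reach anything except the private-LAN devices and not other guests.
PRINTER, NAS = "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"
TRUSTED = MacList("trusted-devices", "whitelist", frozenset({"aa:bb:cc:00:00:01"}))
NO_LAN = MacList("no-private-lan", "blacklist", frozenset({PRINTER, NAS}))
MAIN = Ssid("main", join_list=TRUSTED)
GUEST = Ssid("guest", peer_list=NO_LAN, client_isolation=True)
```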